DNS Subdomain – Configure Child NS Records in DNS

domain-name-systemns-record

If we have example.com we would setup things something like this:

$ORIGIN example.com.
@  1D  IN  SOA ns1.example.com. hostmaster.example.com. (
                  2002022401 ; serial
                  3H ; refresh
                  15 ; retry
                  1w ; expire
                  3h ; nxdomain ttl
                 )
          IN  NS     ns1.example.com.
          IN  NS     ns2.example.com.

since in the parent zone .com. there is already NS record for the example.com. child zone and A glue record for the ns1.example.com. for what purpose do we state NS records again in the child zone?

and also, do we need to state A record for the name servers in the child zone itself?

Best Answer

The way it works

The authoritative NS records reside inside the zone itself (and provided in ANSWER section when the authoritative server is queried), just like all other records that are part of that zone.

To be able to traverse the tree, referral/delegation/authority information (NS and any glue A/AAAA records necessary) is also added to the parent zone.
This information, however, is not treated as the "real answer", the answer lacks the AA (authoritative answer) flag and the NS records are in the AUTHORITY section to indicate that this is just information on who has the actual answer.
One implication of this is that if you do a direct lookup of NS records you will follow this referral and query the authoritative server despite having just seen what should be the same information.

Why was it defined to work this way?

Presumably because it was considered proper/clean/logical that all authoritative records reside inside the zone that they belong to and that there should be authoritative records also for NS.

Could this have been defined differently?

Yes. Look at for instance how DS records were defined when introduced much later. In that case there is no such record inside the child zone, instead it's the parent that is authoritative.

Can I do it differently?

No. Because it was defined the way it was and all the software out there works based on how it was defined, things will break (often in subtle ways) if you don't do it properly.

tl;dr

You need the same NS records both in your zone and as delegation information in the parent zone. Much the same way, any glue A/AAAA records also need to actually exist as real authoritative records.

Related Solutions

DNS SOA Record – Recommended TTL Default

The actual traffic rate to the site is irrelevant.

All of those settings (except for "default TTL") only affect how frequently your domain's secondary DNS servers poll the primary DNS server for updates.

If your zone only changes infrequently (which I believe yours does) then your value for "refresh" is currently a bit on the low side. Typically the primary should send a NOTIFY message to each of the secondaries whenever there's an update at which point the secondaries grab the zone file immediately. These days the "refresh / retry / expire" mechanism is only a backstop to that.

In any event, it's likely that your DNS provider is automatically syncing changes to all of the relevant DNS servers on the fly without using DNS's built-in synchronisation mechanisms so the actual values are probably irrelevant.

Note that the "default TTL" field no longer means what it says. The real default TTL is set (in BIND at least) with the $TTL directive, and that's only used when there isn't an explicit TTL set on each record.

The "default TTL" field's meaning was changed in RFC 2308 and it's actually a hint for negative caching. If your server returns a negative response (e.g. NXDOMAIN or NODATA) it's how long the remote server should wait before trying again.

The current value is a bit on the low side, but there's no harm leaving it as is. It's often ignored anyway.

DNS – How to Test Glue Record

Glue records only ever exist in the parent zone of a domain name.

Hence in the case of your example.org domain name, first find the .org name servers:

% dig +short org. NS
a0.org.afilias-nst.info.
a2.org.afilias-nst.info.
b0.org.afilias-nst.org.
b2.org.afilias-nst.org.
c0.org.afilias-nst.info.
d0.org.afilias-nst.org.

Then, for as many of these as you feel like testing, explicitly ask those name servers for the NS records for your domain:

% dig +norec @a0.org.afilias-nst.info. example.org. NS

You should get back the correct list of NS records in the "AUTHORITY SECTION". For any name servers that have correctly configured glue you should see those glue A (and/or AAAA) records appear in the "ADDITONAL SECTION".